Nadia,

Thanks for investigating QGIS server security. However, I would expect a vulnerability report to go a bit beyond just using a generic security scanner that can have false positives, especially here as all components involved are open source, so it is possible to look at the code, instrument it, etc. So a report should point to the exact line of code where the vulnerability is triggered and/or provide an exploit.

For the long GET request, this is very, very unlikely to be a buffer overflow. Considering that the following is a valid request:

https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=WMS&VERSION=1.3.0&project=demogis&repository=demogis

And the same but with just FOO instead of WMS for the value of SERVICE leads to the 500 error:

https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=FOO&VERSION=1.3.0&project=demogis&repository=demogis

Looking at the error message, a bit of googling shows that it comes from LizMap source code, not QGIS server:

https://github.com/3liz/lizmap-web-client/blob/master/lib/jelix/core/response/error.en_US.php

Furthermore, Jelix is a PHP component, so not native code, hence buffer overflow vulnerabilities leading to arbitrary code execution aren't relevant here (unless you'd trigger a vulnerability of the PHP executable itself!).

I haven't looked at the other things reported, but they are likely to be LizMap specific rather than QGIS-server, unless otherwise proven.

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com
